
PCI DSS is a contractual standard issued by the major payment brands (e.g. Visa, MasterCard and American Express) that sets out minimum technical and operational requirements for the protection of payment card data. Compliance with PCI DSS is required by the contracts governing participation in payment card systems, and applies to merchants that accept payment card transactions and to other organizations that store or process payment card data. Failure to comply with PCI DSS can result in serious adverse consequences (e.g. contractual financial assessments and liability for resulting financial harm).

Incident Response Plan

PCI DSS requires that an organization implement an incident response plan so that the organization is prepared to respond immediately to a cardholder data security incident, and specifies the following minimum requirements:

General: The plan must include: (a) roles, responsibilities, and communication and contact strategies for a data security incident, including notification of relevant payment brands; (b) specific incident response procedures; (c) business recovery and continuity procedures; (d) data backup processes; (e) analysis of legal requirements for reporting data security incidents; (f) coverage and responses of all critical system components; and (g) additional procedures required by relevant payment brands. Guidance explains that the plan should be thorough and contain all the key elements to allow an organization to respond effectively to a data security incident.

Monitoring/Responding: The plan must include procedures for monitoring and responding to alerts from security monitoring systems. Guidance explains that monitoring systems that focus on potential data risks are critical in taking quick action to prevent a breach and must be included in incident response processes.

Personnel: The plan must be disseminated, read and understood by properly trained personnel, and designated personnel must be available on a 24/7 basis to respond to alerts of possible data security incidents. Guidance explains that untrained personnel can exacerbate a data security incident and hinder a post-incident investigation.

Testing: The plan must be tested at least annually, including by reviewing the plan, examining related procedures and interviewing personnel, to verify that the organization is prepared to respond immediately to a data security incident and that the plan and related procedures were followed for previously reported incidents.

Continuous Improvement: There must be a process to modify and evolve the plan according to lessons learned after each data security incident, and to incorporate industry developments, so that the plan is current and capable of handling emerging threats and security trends.

Payment Brand Requirements

In addition to PCI DSS requirements, each payment card brand has its own detailed, specific requirements for responding to an actual or reasonably suspected data security incident. Those requirements include specific notice and reporting obligations, cooperation with investigations by one of the payment brand's designated assessors and other time-specific procedures.

Comment

A comprehensive, practiced and tested incident response plan is essential for a timely, effective response to a data security incident. The basic requirements for incident response plans imposed by PCI DSS do not include important technical detail and do not identify fundamental legal considerations relevant to incident response planning and preparation, such as legal compliance considerations, procedures to collect and preserve admissible evidence and practices for properly protecting privileged communications. Organizations should obtain appropriate technical and legal advice when preparing an incident response plan.
